gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-1719 功能端增加 dynamic bypass 选项 trusted_root_cert_is_not_installed_on_client && TSG-1687 pinning 功能优化

Browse Source
This commit is contained in:
luwenpeng
2020-05-19 18:07:04 +08:00
parent 58f5212d12
commit 05c7528bfd
4 changed files with 24 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -46,6 +46,7 @@ struct decryption_param
int bypass_ct_cert;
int bypass_mutual_auth;
int bypass_pinning;
int bypass_uninstall_cert_traffic;
int bypass_protocol_errors;
int no_verify_cn;
int no_verify_issuer;
@@ -317,7 +318,8 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
item=cJSON_GetObjectItem(exclusions, "trusted_root_cert_is_not_installed_on_client");
if(item && item->type==cJSON_Number) param->bypass_uninstall_cert_traffic=item->valueint;
}
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
if(ssl_ver)
@@ -436,7 +438,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
return SSL_ACTION_PASSTHROUGH;
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, app_staus=0;
if(!profile_param->mirror_client_version)
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
@@ -458,22 +460,27 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret==0);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &app_staus);
assert(ret==0);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
assert(ret==0);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
assert(ret==0);
if( (pinning_staus==1 && profile_param->bypass_pinning) ||
if ((pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ||
(pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ||
(is_mauth && profile_param->bypass_mutual_auth) ||
(is_ev && profile_param->bypass_ev_cert) ||
(is_ct && profile_param->bypass_ct_cert) ||
(has_error && profile_param->bypass_protocol_errors))
{
action=SSL_ACTION_PASSTHROUGH;
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
addr_string, sni, policy_param->policy_id,
((pinning_staus == 1 && profile_param->bypass_pinning) ? 1 : 0),
((pinning_staus == 1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
((pinning_staus == 1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0),
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),